Annual Report, “Federal Information Security Management Act: Fiscal Year 2011 Evaluation” (IG-12-002, October 17, 2011)

This annual report, submitted as a memorandum from the Inspector General to the NASA Administrator, provides the Office of Management and Budget (OMB) with our independent assessment of NASA’s information technology (IT) security posture. For FY 2011, we adopted a risk-based approach in which we selected high- and moderate-impact non-national security Agency systems for review. We examined 25 systems that included systems from all 10 NASA Centers, NASA Headquarters, and the NASA Shared Services Center.

Although our audit work identifies challenges to and weaknesses in NASA’s IT security program, we believe that the Agency is steadily working to improve its overall IT security posture.

Our report to OMB addressed the 11 required areas of review for FY 2011 Federal Information Security Management Act (FISMA) reporting:
   •   Risk Management
   •   Configuration Management
   •   Incident Response and Reporting
   •   Security Training
   •   Plan of Action and Milestones (POA&M)
   •   Remote Access Management
   •   Identity and Access Management
   •   Continuous Monitoring Management
   •   Contingency Planning
   •   Contractor Systems
   •   Security Capital Planning

Overall, the Agency established and is maintaining a program for each of the 11 areas listed above. However, the Agency’s programs for risk management, configuration monitoring management, and POA&M need significant improvements as they do not include all required attributes identified by the Department of Homeland Security.

OMB’s Fiscal Year 2011 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002 includes information from our report. However, as an “Intra-Agency Memorandum,” our report is considered exempt from release under the Freedom of Information Act (FOIA); it also contains NASA Information Technology/Internal Systems Data that is not routinely released under FOIA. To submit a FOIA request, see the online guide.